Thursday, August 10. 2006

Thanks to a patch from Scott MacVicar that I've just applied to CVS, PHP 5.2 will support the httpOnly cookie flag. This neat little feature lets you mark a newly created cookie as HTTP only, in other words inaccessible to browser-based scripting languages such as JavaScript. That makes it far more difficult, if not impossible, to steal a user's cookie-based session by injecting JavaScript into a page and then using it to read the cookies.

The flag is toggled by passing TRUE as the 7th parameter to setcookie() or setrawcookie(). Ex:

Support for the httpOnly flag extends to the session extension as well, where it can be enabled either by setting the session.cookie_httponly INI directive to 1 or by passing TRUE as the 5th parameter to session_set_cookie_params(). Either setting has to be in place before session_start() is called, since that is when the session cookie header is emitted.
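The following is an added example, not code from the original post, that puts the two ways of setting the flag side by side: the 7th argument of setcookie()/setrawcookie() for an explicit cookie, and the INI directive or session_set_cookie_params() for the session cookie. The cookie names and values, the one-hour lifetime and the version guard are assumptions for illustration; the script is meant to run under a web server, not the CLI, since that is where the Set-Cookie headers are actually sent.

```php
<?php
// Added example (not from the original post). Assumes PHP >= 5.2.0;
// cookie names/values and lifetimes are made up for illustration.

// On PHP < 5.2 the 7th argument does not exist; extra arguments to an
// internal function only produce a warning and the flag is silently lost,
// so refuse to run rather than hand out a cookie that scripts can read.
if (version_compare(PHP_VERSION, '5.2.0', '<')) {
    die('httpOnly cookies require PHP 5.2.0 or later');
}

// Mark the cookie "secure" as well when the request itself came over TLS.
$secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

// Explicit cookie: (name, value, expire, path, domain, secure, httponly).
// The 7th argument, TRUE, is the httpOnly flag.
setcookie('auth_token', 'opaque-random-value', time() + 3600, '/', '', $secure, true);

// setrawcookie() takes the same argument list but does not URL-encode the
// value; the httpOnly flag is again the 7th argument.
setrawcookie('raw_token', 'value-sent-verbatim', time() + 3600, '/', '', $secure, true);

// Session cookie, option 1: the INI directive. Must be set before
// session_start(), because that call is what sends the session cookie.
ini_set('session.cookie_httponly', 1);

// Session cookie, option 2: the 5th argument of session_set_cookie_params()
// (lifetime, path, domain, secure, httponly). Lifetime 0 means the cookie
// lasts until the browser is closed.
session_set_cookie_params(0, '/', '', $secure, true);

session_start();
$_SESSION['user'] = 'example';

echo "Cookies issued with the httpOnly flag.\n";
```

When the response is inspected (for example with a proxy or the browser's network tools), each Set-Cookie header carries an additional httponly attribute; browsers match it case-insensitively. Setting session.cookie_httponly in php.ini instead of via ini_set() has the same effect and also covers scripts that never call session_set_cookie_params().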

I did some tests prior to creating the patch, and IE 6 SP1, Opera 9.01 and Konqueror had support. Safari may have support too, though I'm unaware of how much of KHTML it uses.

Firefox currently has a patch, but its developers are being cautious about breaking backwards compatibility with the cookie file format.

It should be noted that this does not fix XSS vulnerabilities; it only helps when the cookies themselves hold sensitive data such as a session id. An injected script still runs with the page's full privileges: it can manipulate the page via the DOM, capture what the user types, and issue requests that the browser sends with the victim's cookies attached even though the script itself cannot read them.

Is the cookie specification being amended/revised to add the httpOnly flag, or is this something that one browser developer thought up? In short, I'm just curious to know who developed the idea of httpOnly and who is driving its adoption?

Well, doing a Google search brings up a lot about IE, but http://weblogs.mozillazine.org/gerv/archives/2006/07/httponly_for_firefox.html brings up more information. It is not officially a standard, but I'm sure it will be made one in the far future.

I think that stealing an httpOnly cookie is possible when you have an XSS vulnerability and the web server supports HEAD requests. But of course it is much more difficult to steal the cookie than without httpOnly.
Generally I like the httpOnly approach very much, even though it is coming from Microsoft. Maybe it would be a good idea to send out PHP's session cookies with the HttpOnly flag, as ASP.NET 2.0 does? Browsers other than IE then ignore the flag, so nothing breaks; and IE disallows JavaScript access to the cookie (which is probably not used by many applications). What do you think?

I'd be wary of enabling it by default for the session extension, given that some people may be trying to access their PHP session id with JavaScript (intentionally); I've seen this happen in real life. But that's something that can be considered later.

It is also important to note that some browsers do break with this flag; IE on a Mac is one notable example.

Not to appear rude, but I was hoping that PHP was becoming LESS of a mess. Why haphazardly add stuff until it's decided how it's going to turn out? I mean, come on, just LOOK at that. Ok, sure, it's a useful addition, but it's still ugly as sin.

Firefox 2.0.0.5 finally has support for httponly: http://forums.mozillazine.org/viewtopic.php?p=2965188

It's good to see PHP ready for that flag. Of course this is not 100% XSS protection, but anyway, we should do everything possible in case we forgot to escape something (even Google has XSS, which means everyone can have it).

Now browser and plugin developers (like Flash) must make sure that a cookie with httponly can't be seen by client-side scripts.